DefectDojo / godojo

Golang installer for DefectDojo
GNU General Public License v3.0

A fresh install includes Debug and Test gear #52

Closed noloader closed 2 years ago

noloader commented 2 years ago

I've got DefectDojo from the tip of Master running on Fedora 35 with Postgres. When I look at the installed warez I see a lot of debug and test gear. I don't think the debug and testing gear should be present after an install since it increases attack surface. It also takes time when trying to audit an installation. Finally, it adds to the backup and restore times.

And to be clear... prior to installation, you should run the tests. Once tested, you install the production stuff only (or delete the test gear).

It looks like there's about 2500 questionable files:

# cd /opt/dojo
# find . -iname '*test*' | wc -l
2556

And:

# cd /opt/dojo
# find . -iname '*test*'
./django-DefectDojo/.github/workflows/integration-tests.yml
./django-DefectDojo/.github/workflows/k8s-testing.yml
./django-DefectDojo/.github/workflows/test-helm-chart.yml
./django-DefectDojo/.github/workflows/unit-tests.yml
./django-DefectDojo/Dockerfile.integration-tests
./django-DefectDojo/components/node_modules/ast-transform/node_modules/esutils/test
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/build/test-prefix.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/build/test-suffix.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-api.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-array-set.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-base64-vlq.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-base64.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-binary-search.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-dog-fooding.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-source-map-consumer.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-source-map-generator.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-source-node.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-util.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/run-tests.js
...

And my apologies if I missed a setting in dojoConfig.yml. I don't recall seeing one for the installation type (debug vs release or production). godojo -help does say the following, but I did not use the -dev option:

  -dev
        OPTIONAL - Do an dev install with fixed values especially for testing
                   Must be used alone and without other arguments

I also see what may be test gear in the database. I am not sure if these are false positives. Given that there are tables like dojo_engagement_files and dojo_engagement_notes, it looks like the other ones, like dojo_test_files and dojo_test_notes, could be superfluous.

$ PGPASSWORD=XXXXXXXX psql -h localhost -U postgres dojodb
psql (13.4)

dojodb=# \dt
                           List of relations
 Schema |                   Name                    | Type  |   Owner   
--------+-------------------------------------------+-------+-----------
 public | auditlog_logentry                         | table | dojodbusr
 public | auth_group                                | table | dojodbusr
 public | auth_group_permissions                    | table | dojodbusr
 public | auth_permission                           | table | dojodbusr
 public | auth_user                                 | table | dojodbusr
 public | auth_user_groups                          | table | dojodbusr
 public | auth_user_user_permissions                | table | dojodbusr
 public | authtoken_token                           | table | dojodbusr
 public | django_admin_log                          | table | dojodbusr
 public | django_celery_results_chordcounter        | table | dojodbusr
 public | django_celery_results_groupresult         | table | dojodbusr
 public | django_celery_results_taskresult          | table | dojodbusr
 public | django_content_type                       | table | dojodbusr
 public | django_migrations                         | table | dojodbusr
 public | django_session                            | table | dojodbusr
 public | django_site                               | table | dojodbusr
 public | dojo_alerts                               | table | dojodbusr
 public | dojo_answer                               | table | dojodbusr
 public | dojo_answered_survey                      | table | dojodbusr
 public | dojo_app_analysis                         | table | dojodbusr
 public | dojo_app_analysis_tags                    | table | dojodbusr
 public | dojo_bannerconf                           | table | dojodbusr
 public | dojo_benchmark_category                   | table | dojodbusr
 public | dojo_benchmark_product                    | table | dojodbusr
 public | dojo_benchmark_product_notes              | table | dojodbusr
 public | dojo_benchmark_product_summary            | table | dojodbusr
 public | dojo_benchmark_requirement                | table | dojodbusr
 public | dojo_benchmark_requirement_cwe_mapping    | table | dojodbusr
 public | dojo_benchmark_requirement_testing_guide  | table | dojodbusr
 public | dojo_benchmark_type                       | table | dojodbusr
 public | dojo_burprawrequestresponse               | table | dojodbusr
 public | dojo_check_list                           | table | dojodbusr
 public | dojo_check_list_auth_issues               | table | dojodbusr
 public | dojo_check_list_author_issues             | table | dojodbusr
 public | dojo_check_list_config_issues             | table | dojodbusr
 public | dojo_check_list_crypto_issues             | table | dojodbusr
 public | dojo_check_list_data_issues               | table | dojodbusr
 public | dojo_check_list_other_issues              | table | dojodbusr
 public | dojo_check_list_sensitive_issues          | table | dojodbusr
 public | dojo_check_list_session_issues            | table | dojodbusr
 public | dojo_child_rule                           | table | dojodbusr
 public | dojo_choice                               | table | dojodbusr
 public | dojo_choiceanswer                         | table | dojodbusr
 public | dojo_choiceanswer_answer                  | table | dojodbusr
 public | dojo_choicequestion                       | table | dojodbusr
 public | dojo_choicequestion_choices               | table | dojodbusr
 public | dojo_cobaltio_product                     | table | dojodbusr
 public | dojo_contact                              | table | dojodbusr
 public | dojo_cred_mapping                         | table | dojodbusr
 public | dojo_cred_user                            | table | dojodbusr
 public | dojo_cred_user_notes                      | table | dojodbusr
 public | dojo_cwe                                  | table | dojodbusr
 public | dojo_development_environment              | table | dojodbusr
 public | dojo_dojo_group                           | table | dojodbusr
 public | dojo_dojo_group_member                    | table | dojodbusr
 public | dojo_dojometa                             | table | dojodbusr
 public | dojo_endpoint                             | table | dojodbusr
 public | dojo_endpoint_endpoint_params             | table | dojodbusr
 public | dojo_endpoint_endpoint_status             | table | dojodbusr
 public | dojo_endpoint_params                      | table | dojodbusr
 public | dojo_endpoint_status                      | table | dojodbusr
 public | dojo_endpoint_tags                        | table | dojodbusr
 public | dojo_engagement                           | table | dojodbusr
 public | dojo_engagement_files                     | table | dojodbusr
 public | dojo_engagement_notes                     | table | dojodbusr
 public | dojo_engagement_presets                   | table | dojodbusr
 public | dojo_engagement_presets_network_locations | table | dojodbusr
 public | dojo_engagement_presets_test_type         | table | dojodbusr
 public | dojo_engagement_risk_acceptance           | table | dojodbusr
 public | dojo_engagement_survey                    | table | dojodbusr
 public | dojo_engagement_survey_questions          | table | dojodbusr
 public | dojo_engagement_tags                      | table | dojodbusr
 public | dojo_fieldrule                            | table | dojodbusr
 public | dojo_fileaccesstoken                      | table | dojodbusr
 public | dojo_fileupload                           | table | dojodbusr
 public | dojo_finding                              | table | dojodbusr
 public | dojo_finding_endpoint_status              | table | dojodbusr
 public | dojo_finding_endpoints                    | table | dojodbusr
 public | dojo_finding_files                        | table | dojodbusr
 public | dojo_finding_found_by                     | table | dojodbusr
 public | dojo_finding_group                        | table | dojodbusr
 public | dojo_finding_group_findings               | table | dojodbusr
 public | dojo_finding_notes                        | table | dojodbusr
 public | dojo_finding_reviewers                    | table | dojodbusr
 public | dojo_finding_tags                         | table | dojodbusr
 public | dojo_finding_template                     | table | dojodbusr
 public | dojo_finding_template_tags                | table | dojodbusr
 public | dojo_general_survey                       | table | dojodbusr
 public | dojo_github_clone                         | table | dojodbusr
 public | dojo_github_conf                          | table | dojodbusr
 public | dojo_github_details_cache                 | table | dojodbusr
 public | dojo_github_issue                         | table | dojodbusr
 public | dojo_github_pkey                          | table | dojodbusr
 public | dojo_global_role                          | table | dojodbusr
 public | dojo_jira_instance                        | table | dojodbusr
 public | dojo_jira_issue                           | table | dojodbusr
 public | dojo_jira_project                         | table | dojodbusr
 public | dojo_language_type                        | table | dojodbusr
 public | dojo_languages                            | table | dojodbusr
 public | dojo_network_locations                    | table | dojodbusr
 public | dojo_note_type                            | table | dojodbusr
 public | dojo_notehistory                          | table | dojodbusr
 public | dojo_notes                                | table | dojodbusr
 public | dojo_notes_history                        | table | dojodbusr
 public | dojo_notifications                        | table | dojodbusr
 public | dojo_objects_engagement                   | table | dojodbusr
 public | dojo_objects_product                      | table | dojodbusr
 public | dojo_objects_product_tags                 | table | dojodbusr
 public | dojo_objects_review                       | table | dojodbusr
 public | dojo_product                              | table | dojodbusr
 public | dojo_product_api_scan_configuration       | table | dojodbusr
 public | dojo_product_authorized_users             | table | dojodbusr
 public | dojo_product_group                        | table | dojodbusr
 public | dojo_product_line                         | table | dojodbusr
 public | dojo_product_member                       | table | dojodbusr
 public | dojo_product_regulations                  | table | dojodbusr
 public | dojo_product_tags                         | table | dojodbusr
 public | dojo_product_type                         | table | dojodbusr
 public | dojo_product_type_authorized_users        | table | dojodbusr
 public | dojo_product_type_group                   | table | dojodbusr
 public | dojo_product_type_member                  | table | dojodbusr
 public | dojo_question                             | table | dojodbusr
 public | dojo_regulation                           | table | dojodbusr
 public | dojo_report_type                          | table | dojodbusr
 public | dojo_risk_acceptance                      | table | dojodbusr
 public | dojo_risk_acceptance_accepted_findings    | table | dojodbusr
 public | dojo_risk_acceptance_notes                | table | dojodbusr
 public | dojo_role                                 | table | dojodbusr
 public | dojo_rule                                 | table | dojodbusr
 public | dojo_rule_child_rules                     | table | dojodbusr
 public | dojo_sonarqube_issue                      | table | dojodbusr
 public | dojo_sonarqube_issue_transition           | table | dojodbusr
 public | dojo_sonarqube_product                    | table | dojodbusr
 public | dojo_stub_finding                         | table | dojodbusr
 public | dojo_system_settings                      | table | dojodbusr
 public | dojo_tagulous_app_analysis_tags           | table | dojodbusr
 public | dojo_tagulous_endpoint_tags               | table | dojodbusr
 public | dojo_tagulous_engagement_tags             | table | dojodbusr
 public | dojo_tagulous_finding_tags                | table | dojodbusr
 public | dojo_tagulous_finding_template_tags       | table | dojodbusr
 public | dojo_tagulous_objects_product_tags        | table | dojodbusr
 public | dojo_tagulous_product_tags                | table | dojodbusr
 public | dojo_tagulous_test_tags                   | table | dojodbusr
 public | dojo_test                                 | table | dojodbusr
 public | dojo_test_files                           | table | dojodbusr
 public | dojo_test_import                          | table | dojodbusr
 public | dojo_test_import_finding_action           | table | dojodbusr
 public | dojo_test_notes                           | table | dojodbusr
 public | dojo_test_tags                            | table | dojodbusr
 public | dojo_test_type                            | table | dojodbusr
 public | dojo_testing_guide                        | table | dojodbusr
 public | dojo_testing_guide_category               | table | dojodbusr
 public | dojo_textanswer                           | table | dojodbusr
 public | dojo_textquestion                         | table | dojodbusr
 public | dojo_tool_configuration                   | table | dojodbusr
 public | dojo_tool_product_history                 | table | dojodbusr
 public | dojo_tool_product_settings                | table | dojodbusr
 public | dojo_tool_product_settings_notes          | table | dojodbusr
 public | dojo_tool_type                            | table | dojodbusr
 public | dojo_usercontactinfo                      | table | dojodbusr
 public | social_auth_association                   | table | dojodbusr
 public | social_auth_code                          | table | dojodbusr
 public | social_auth_nonce                         | table | dojodbusr
 public | social_auth_partial                       | table | dojodbusr
 public | social_auth_usersocialauth                | table | dojodbusr
 public | tagging_tag                               | table | dojodbusr
 public | tagging_taggeditem                        | table | dojodbusr
 public | watson_searchentry                        | table | dojodbusr
(168 rows)

mtesauro commented 2 years ago

Taking these in order:

TLDR: Run the following when godojo is done installing:

rm -rf /opt/dojo/django-DefectDojo/tests
rm -rf /opt/dojo/django-DefectDojo/unittests

Assuming you didn't change the install root

More details:

(1) "It looks like there's about 2500 questionable files:"

One of the core data models of DefectDojo is 'test' so find/grep'ing for test won't give anything like accurate results. See the data model documentation for more details.

The application tests (unit/integration) are under tests and unittests directories in the root of the source which is /opt/dojo/django-DefectDojo/ for godojo installs with the default install location.

If you really don't want those files as part of your final install, two quick rm -rf commands will clear those out once godojo has completed the install.

(2) " I don't recall seeing one for the installation type"

The purpose of the dev install is to quickly set up a DefectDojo installation where all the configs are known and use pre-defined values. This lets you make one config change to set type to 'dev' and have a consistent install configuration when you choose that option. Basically, it should only be used if you're QA testing or dev'ing on DefectDojo.

godojo uses the release tarball for getting the source code for DefectDojo - assuming you don't install at a specific commit or head of a branch. In those cases (branch/commit) you'll get the equivalent of a git clone from the repo and have all the source.

(3) I also see what may be test gear in the database

See the link above to the data models for DefectDojo - the tables you mention are valid tables. For example:

dojo_test_files - holds files uploaded/associated with a specific test in DefectDojo
dojo_test_notes - holds note(s) added to a test in DefectDojo.

HTH
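As an added example (not code from godojo or from either commenter), the following POSIX shell script turns the reply above into a post-install audit: it prunes the tests and unittests suites under the DefectDojo source root, and separately counts the '*test*' paths that remain once vendored node_modules and those two suites are excluded, so that paths named after the Test data model (such as dojo/test) are not mistaken for removable test gear. It assumes godojo's default /opt/dojo install root unless another root is passed, and the demonstration at the bottom runs on a constructed scratch tree rather than a live install.

```shell
#!/bin/sh
# Added example, not part of godojo: post-install audit of leftover test suites.
# The install root defaults to /opt/dojo (godojo's default); pass another root
# as the first argument to every function to audit a different location.
set -u

# Source root for a given install root (mirrors godojo's default layout).
dojo_src() { printf '%s/django-DefectDojo' "${1:-/opt/dojo}"; }

# Count paths under the source root whose name contains "test", excluding
# vendored node_modules and the removable tests/unittests suites. What is left
# is mostly code for the 'test' data model, which a release install needs.
count_other_test_paths() {
    _src=$(dojo_src "${1:-}")
    find "$_src" -iname '*test*' \
        ! -path '*/node_modules/*' \
        ! -path "$_src/tests" ! -path "$_src/tests/*" \
        ! -path "$_src/unittests" ! -path "$_src/unittests/*" \
        | wc -l | tr -d ' '
}

# Remove the unit and integration test suites once godojo has finished.
# Returns 0 only if neither directory remains afterwards.
prune_test_suites() {
    _src=$(dojo_src "${1:-}")
    for _d in tests unittests; do
        [ -d "$_src/$_d" ] && rm -rf "$_src/$_d"
    done
    [ ! -d "$_src/tests" ] && [ ! -d "$_src/unittests" ]
}

# Demonstration on a constructed scratch tree (not a real DefectDojo checkout):
# two removable suites, one data-model directory, one vendored JS test dir.
demo_root=$(mktemp -d)
demo_src=$(dojo_src "$demo_root")
mkdir -p "$demo_src/tests/smoke" "$demo_src/unittests" "$demo_src/dojo/test" \
         "$demo_src/components/node_modules/source-map/test"
touch "$demo_src/tests/smoke/test_login.py" "$demo_src/unittests/test_api.py" \
      "$demo_src/dojo/test/views.py" \
      "$demo_src/components/node_modules/source-map/test/run-tests.js"
echo "before prune: $(count_other_test_paths "$demo_root") non-suite test path(s)"
prune_test_suites "$demo_root" && echo "tests/ and unittests/ removed"
echo "after prune:  $(count_other_test_paths "$demo_root") non-suite test path(s)"
rm -rf "$demo_root"
```

Run against a live install with `prune_test_suites /opt/dojo` after godojo completes; the count function is read-only and safe to run first to see what would remain.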